[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command
Fraser Tweedale
ftweedal at redhat.com
Fri May 13 05:06:09 UTC 2016
On Fri, May 13, 2016 at 02:48:41PM +1000, Fraser Tweedale wrote:
> On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> > The patch itself is fine.
> >
> > I'm just struggling with where this script should exist.
> >
> > pki-server ca-cert-db-upgrade seems like an awfully generic description
> > for this operation - which basically provides a very specific db
> > migration. For that matter, why not ca-db-upgrade?
> >
> My thinking was that, in the future, whatever DB upgrades are needed
> for a subsystem could be added to the command.
>
> So on that, I take your point re "ca-db-upgrade" and will cut a new
> patch with that command name.
>
New patch attached.
Cheers,
Fraser
-------------- next part --------------
From 7dbd0eaf6ca82c872f48995b98fc4b41e6225699 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 9 May 2016 17:00:54 +1000
Subject: [PATCH] Add pki-server ca-db-upgrade command
Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667
---
base/server/python/pki/server/cli/ca.py | 81 +++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..428345db4c1c4e7fccbdd01510bde5a5aeae8db6 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
from __future__ import print_function
import getopt
import io
+import ldap
+import nss.nss as nss
import os
import shutil
import sys
@@ -38,6 +40,7 @@ class CACLI(pki.cli.CLI):
self.add_module(CACertCLI())
self.add_module(CACloneCLI())
+ self.add_module(CADBUpgrade())
class CACertCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
finally:
shutil.rmtree(tmpdir)
+
+
+class CADBUpgrade(pki.cli.CLI):
+ def __init__(self):
+ super(CADBUpgrade, self).__init__(
+ 'db-upgrade', 'Upgrade certificate records')
+
+ def usage(self):
+ print('Usage: pki-server ca-db-upgrade [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+ try:
+ opts, _ = getopt.gnu_getopt(
+ args, 'i:v', ['instance=', 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ nss.nss_init_nodb()
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ base_dn = subsystem.config['internaldb.basedn']
+ conn = subsystem.open_database()
+ try:
+ entries = conn.ldap.search_s(
+ 'ou=certificateRepository,ou=ca,%s' % base_dn,
+ ldap.SCOPE_ONELEVEL,
+ '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+ None)
+ for entry in entries:
+ self.__add_issuer(conn, entry)
+ finally:
+ conn.close()
+
+ @staticmethod
+ def __add_issuer(conn, entry):
+ dn, attrs = entry
+ attr_cert = attrs.get('userCertificate;binary')
+ if not attr_cert:
+ return # shouldn't happen, but nothing we can do if it does
+
+ cert = nss.Certificate(bytearray(attr_cert[0]))
+ issuer_name = str(cert.issuer)
+
+ try:
+ conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+ except ldap.LDAPError as e:
+ print(
+ 'Failed to add issuerName to certificate {}: {}'
+ .format(attrs.get('cn', ['<unknown>'])[0], e))
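Review bot: A certificate record whose `userCertificate;binary` value NSS cannot parse makes `nss.Certificate(bytearray(attr_cert[0]))` in `__add_issuer` raise, and because only the `modify_s` call is inside the `try`, that single bad record aborts the whole upgrade partway through the repository while the records already touched stay modified; the modify failure on the next lines is reported and skipped, so the parse failure should get the same treatment. Move the parse into the `try`, e.g. `try:` / `cert = nss.Certificate(bytearray(attr_cert[0]))` / `except Exception as e: print('Failed to parse certificate {}: {}'.format(attrs.get('cn', ['<unknown>'])[0], e)); return` (python-nss raises its own NSPR error type, which can be narrowed if `nss.error` is imported). Two smaller points in `execute`: `search_s` materializes every matching record in memory, which may matter for a large CA repository where a paged search would be preferable, and `-v`/`set_verbose(True)` has no effect since nothing reports progress or the number of records updated, which an operator running a one-off migration would want. The `nss.nss_init_nodb()` call also has no matching shutdown before the command returns.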
--
2.5.5